Skip to content
This repository has been archived by the owner on Jan 22, 2024. It is now read-only.

Support for containerd due to Kubernetes 1.20 changes on ARM64 devices #1468

Closed
Shaked opened this issue Mar 4, 2021 · 4 comments
Closed

Support for containerd due to Kubernetes 1.20 changes on ARM64 devices #1468

Shaked opened this issue Mar 4, 2021 · 4 comments

Comments

@Shaked
Copy link

Shaked commented Mar 4, 2021

1. Issue or feature description

Kubernetes is deprecating docker support starting 1.20. As a result of this change we would have to adjust our kubernetes clusters to use containerd as our CRI.

As part of our stack, we use nvidia-docker to make use of our Jetson Xavier GPUs together with k3s and docker as CRI.

I have followed @klueska's comment at containerd/containerd#4834 (comment) and ended up with the following information:

cat /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl
[plugins.opt]
  path = "{{ .NodeConfig.Containerd.Opt }}"
[plugins.cri]
  stream_server_address = "127.0.0.1"
  stream_server_port = "10010"
  enable_selinux = {{ .NodeConfig.SELinux }}
{{- if .IsRunningInUserNS }}
  disable_cgroup = true
  disable_apparmor = true
  restrict_oom_score_adj = true
{{end}}
{{- if .NodeConfig.AgentConfig.PauseImage }}
  sandbox_image = "{{ .NodeConfig.AgentConfig.PauseImage }}"
{{end}}
{{- if .NodeConfig.AgentConfig.Snapshotter }}
[plugins.cri.containerd]
  disable_snapshot_annotations = true
  snapshotter = "{{ .NodeConfig.AgentConfig.Snapshotter }}"
{{end}}
{{- if not .NodeConfig.NoFlannel }}
[plugins.cri.cni]
  bin_dir = "{{ .NodeConfig.AgentConfig.CNIBinDir }}"
  conf_dir = "{{ .NodeConfig.AgentConfig.CNIConfDir }}"
{{end}}
[plugins.cri.containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
{{ if .PrivateRegistryConfig }}
{{ if .PrivateRegistryConfig.Mirrors }}
[plugins.cri.registry.mirrors]{{end}}
{{range $k, $v := .PrivateRegistryConfig.Mirrors }}
[plugins.cri.registry.mirrors."{{$k}}"]
  endpoint = [{{range $i, $j := $v.Endpoints}}{{if $i}}, {{end}}{{printf "%q" .}}{{end}}]
{{end}}
{{range $k, $v := .PrivateRegistryConfig.Configs }}
{{ if $v.Auth }}
[plugins.cri.registry.configs."{{$k}}".auth]
  {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}}
  {{ if $v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}}
  {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}}
  {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}}
{{end}}
{{ if $v.TLS }}
[plugins.cri.registry.configs."{{$k}}".tls]
  {{ if $v.TLS.CAFile }}ca_file = "{{ $v.TLS.CAFile }}"{{end}}
  {{ if $v.TLS.CertFile }}cert_file = "{{ $v.TLS.CertFile }}"{{end}}
  {{ if $v.TLS.KeyFile }}key_file = "{{ $v.TLS.KeyFile }}"{{end}}
  {{ if $v.TLS.InsecureSkipVerify }}insecure_skip_verify = true{{end}}
{{end}}
{{end}}
{{end}}
[plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".containerd]
        default_runtime_name = "nvidia"
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
            [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
                privileged_without_host_devices = false
                runtime_engine = ""
                runtime_root = ""
                runtime_type = "io.containerd.runc.v1"
                [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
                    BinaryName = "/usr/bin/nvidia-container-runtime"

Once set, I have ran sudo service k3s restart and then:

k3s ctr i pull docker.io/jitteam/devicequery:latest
k3s ctr run --rm docker.io/jitteam/devicequery:latest t4
./deviceQuery Starting...

 CUDA Device Query (Runtime API) version (CUDART static linking)

cudaGetDeviceCount returned 35
-> CUDA driver version is insufficient for CUDA runtime version
Result = FAIL

When using docker with runtime=nvidia:

docker run -it --runtime nvidia docker.io/jitteam/devicequery:latest
./deviceQuery Starting...

 CUDA Device Query (Runtime API) version (CUDART static linking)

Detected 1 CUDA Capable device(s)

Device 0: "Xavier"
  CUDA Driver Version / Runtime Version          10.2 / 10.0
  CUDA Capability Major/Minor version number:    7.2
  Total amount of global memory:                 15821 MBytes (16589983744 bytes)
  ( 8) Multiprocessors, ( 64) CUDA Cores/MP:     512 CUDA Cores
  GPU Max Clock rate:                            1377 MHz (1.38 GHz)
  Memory Clock rate:                             1377 Mhz
  Memory Bus Width:                              256-bit
  L2 Cache Size:                                 524288 bytes
  Maximum Texture Dimension Size (x,y,z)         1D=(131072), 2D=(131072, 65536), 3D=(16384, 16384, 16384)
  Maximum Layered 1D Texture Size, (num) layers  1D=(32768), 2048 layers
  Maximum Layered 2D Texture Size, (num) layers  2D=(32768, 32768), 2048 layers
  Total amount of constant memory:               65536 bytes
  Total amount of shared memory per block:       49152 bytes
  Total number of registers available per block: 65536
  Warp size:                                     32
  Maximum number of threads per multiprocessor:  2048
  Maximum number of threads per block:           1024
  Max dimension size of a thread block (x,y,z): (1024, 1024, 64)
  Max dimension size of a grid size    (x,y,z): (2147483647, 65535, 65535)
  Maximum memory pitch:                          2147483647 bytes
  Texture alignment:                             512 bytes
  Concurrent copy and kernel execution:          Yes with 1 copy engine(s)
  Run time limit on kernels:                     No
  Integrated GPU sharing Host Memory:            Yes
  Support host page-locked memory mapping:       Yes
  Alignment requirement for Surfaces:            Yes
  Device has ECC support:                        Disabled
  Device supports Unified Addressing (UVA):      Yes
  Device supports Compute Preemption:            Yes
  Supports Cooperative Kernel Launch:            Yes
  Supports MultiDevice Co-op Kernel Launch:      Yes
  Device PCI Domain ID / Bus ID / location ID:   0 / 0 / 0
  Compute Mode:
     < Default (multiple host threads can use ::cudaSetDevice() with device simultaneously) >

deviceQuery, CUDA Driver = CUDART, CUDA Driver Version = 10.2, CUDA Runtime Version = 10.0, NumDevs = 1
Result = PASS

k3s ctr plugin ls
TYPE                            ID                       PLATFORMS         STATUS
io.containerd.service.v1        introspection-service    -                 ok
io.containerd.content.v1        content                  -                 ok
io.containerd.snapshotter.v1    native                   linux/arm64/v8    ok
io.containerd.snapshotter.v1    overlayfs                linux/arm64/v8    ok
io.containerd.metadata.v1       bolt                     -                 ok
io.containerd.differ.v1         walking                  linux/arm64/v8    ok
io.containerd.gc.v1             scheduler                -                 ok
io.containerd.service.v1        containers-service       -                 ok
io.containerd.service.v1        content-service          -                 ok
io.containerd.service.v1        diff-service             -                 ok
io.containerd.service.v1        images-service           -                 ok
io.containerd.service.v1        leases-service           -                 ok
io.containerd.service.v1        namespaces-service       -                 ok
io.containerd.service.v1        snapshots-service        -                 ok
io.containerd.runtime.v1        linux                    linux/arm64/v8    ok
io.containerd.runtime.v2        task                     linux/arm64/v8    ok
io.containerd.monitor.v1        cgroups                  linux/arm64/v8    ok
io.containerd.service.v1        tasks-service            -                 ok
io.containerd.internal.v1       restart                  -                 ok
io.containerd.grpc.v1           containers               -                 ok
io.containerd.grpc.v1           content                  -                 ok
io.containerd.grpc.v1           diff                     -                 ok
io.containerd.grpc.v1           events                   -                 ok
io.containerd.grpc.v1           healthcheck              -                 ok
io.containerd.grpc.v1           images                   -                 ok
io.containerd.grpc.v1           leases                   -                 ok
io.containerd.grpc.v1           namespaces               -                 ok
io.containerd.internal.v1       opt                      -                 ok
io.containerd.grpc.v1           snapshots                -                 ok
io.containerd.grpc.v1           tasks                    -                 ok
io.containerd.grpc.v1           version                  -                 ok
io.containerd.grpc.v1           cri                      linux/arm64/v8    ok

How could I make this work on my Jetson Xavier?

Thank you
Shaked
@Shaked Shaked mentioned this issue Mar 4, 2021
Open
@klueska
Copy link
Contributor

klueska commented Mar 5, 2021

It looks like your config.toml.tmpl file is in v1 format, but you've added the extensions for the nvidia runtime in v2 format. I'm not sure how those will play together.

Also you add fields that match those higher up in your template, e.g.:

[plugins.cri.containerd]
vs.
[plugins."io.containerd.grpc.v1.cri".containerd] // which is the v2 equivalent of the line above.

Not sure how that is treated either.

@Shaked
Copy link
Author

Shaked commented Mar 8, 2021

@klueska

Thank you for making this clear.

I have tested config.toml.tmpl with the recommended changes, i.e:


[plugins.opt]
  path = "{{ .NodeConfig.Containerd.Opt }}"
[plugins.cri]
  stream_server_address = "127.0.0.1"
  stream_server_port = "10010"
  enable_selinux = {{ .NodeConfig.SELinux }}
{{- if .IsRunningInUserNS }}
  disable_cgroup = true
  disable_apparmor = true
  restrict_oom_score_adj = true
{{end}}
{{- if .NodeConfig.AgentConfig.PauseImage }}
  sandbox_image = "{{ .NodeConfig.AgentConfig.PauseImage }}"
{{end}}
{{- if .NodeConfig.AgentConfig.Snapshotter }}
[plugins.cri.containerd]
  disable_snapshot_annotations = true
  snapshotter = "{{ .NodeConfig.AgentConfig.Snapshotter }}"
{{end}}
{{- if not .NodeConfig.NoFlannel }}
[plugins.cri.cni]
  bin_dir = "{{ .NodeConfig.AgentConfig.CNIBinDir }}"
  conf_dir = "{{ .NodeConfig.AgentConfig.CNIConfDir }}"
{{end}}
[plugins.cri.containerd.default_runtime]
    privileged_without_host_devices = false
    runtime_engine = ""
    runtime_root = ""
    runtime_type = "io.containerd.runtime.v1.linux"

    [plugins.cri.containerd.default_runtime.options]
        Runtime = "/usr/bin/nvidia-container-runtime"

[plugins.cri.containerd.runtimes.nvidia]
    privileged_without_host_devices = false
    runtime_engine = ""
    runtime_root = ""
    runtime_type = "io.containerd.runtime.v1.linux"

    [plugins.cri.containerd.runtimes.nvidia.options]
        Runtime = "/usr/bin/nvidia-container-runtime"
[plugins.cri.containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
{{ if .PrivateRegistryConfig }}
{{ if .PrivateRegistryConfig.Mirrors }}
[plugins.cri.registry.mirrors]{{end}}
{{range $k, $v := .PrivateRegistryConfig.Mirrors }}
[plugins.cri.registry.mirrors."{{$k}}"]
  endpoint = [{{range $i, $j := $v.Endpoints}}{{if $i}}, {{end}}{{printf "%q" .}}{{end}}]
{{end}}
{{range $k, $v := .PrivateRegistryConfig.Configs }}
{{ if $v.Auth }}
[plugins.cri.registry.configs."{{$k}}".auth]
  {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}}
  {{ if $v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}}
  {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}}
  {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}}
{{end}}
{{ if $v.TLS }}
[plugins.cri.registry.configs."{{$k}}".tls]
  {{ if $v.TLS.CAFile }}ca_file = "{{ $v.TLS.CAFile }}"{{end}}
  {{ if $v.TLS.CertFile }}cert_file = "{{ $v.TLS.CertFile }}"{{end}}
  {{ if $v.TLS.KeyFile }}key_file = "{{ $v.TLS.KeyFile }}"{{end}}
  {{ if $v.TLS.InsecureSkipVerify }}insecure_skip_verify = true{{end}}
{{end}}
{{end}}
{{end}}

And it seems to work with deviceQuery:

docker run -it --runtime nvidia devicequery
./deviceQuery Starting...

 CUDA Device Query (Runtime API) version (CUDART static linking)

Detected 1 CUDA Capable device(s)

Device 0: "Xavier"
  CUDA Driver Version / Runtime Version          10.2 / 10.2
  CUDA Capability Major/Minor version number:    7.2
  Total amount of global memory:                 15821 MBytes (16589983744 bytes)
  ( 8) Multiprocessors, ( 64) CUDA Cores/MP:     512 CUDA Cores
  GPU Max Clock rate:                            1377 MHz (1.38 GHz)
  Memory Clock rate:                             1377 Mhz
  Memory Bus Width:                              256-bit
  L2 Cache Size:                                 524288 bytes
  Maximum Texture Dimension Size (x,y,z)         1D=(131072), 2D=(131072, 65536), 3D=(16384, 16384, 16384)
  Maximum Layered 1D Texture Size, (num) layers  1D=(32768), 2048 layers
  Maximum Layered 2D Texture Size, (num) layers  2D=(32768, 32768), 2048 layers
  Total amount of constant memory:               65536 bytes
  Total amount of shared memory per block:       49152 bytes
  Total number of registers available per block: 65536
  Warp size:                                     32
  Maximum number of threads per multiprocessor:  2048
  Maximum number of threads per block:           1024
  Max dimension size of a thread block (x,y,z): (1024, 1024, 64)
  Max dimension size of a grid size    (x,y,z): (2147483647, 65535, 65535)
  Maximum memory pitch:                          2147483647 bytes
  Texture alignment:                             512 bytes
  Concurrent copy and kernel execution:          Yes with 1 copy engine(s)
  Run time limit on kernels:                     No
  Integrated GPU sharing Host Memory:            Yes
  Support host page-locked memory mapping:       Yes
  Alignment requirement for Surfaces:            Yes
  Device has ECC support:                        Disabled
  Device supports Unified Addressing (UVA):      Yes
  Device supports Compute Preemption:            Yes
  Supports Cooperative Kernel Launch:            Yes
  Supports MultiDevice Co-op Kernel Launch:      Yes
  Device PCI Domain ID / Bus ID / location ID:   0 / 0 / 0
  Compute Mode:
     < Default (multiple host threads can use ::cudaSetDevice() with device simultaneously) >

deviceQuery, CUDA Driver = CUDART, CUDA Driver Version = 10.2, CUDA Runtime Version = 10.2, NumDevs = 1
Result = PASS

Thank you
Shaked

@klueska
Copy link
Contributor

klueska commented Mar 8, 2021

Great to hear. Please close this issue if you consider it resolve now.

@Shaked Shaked closed this as completed Mar 8, 2021
@Shaked Shaked mentioned this issue Mar 11, 2021
Closed
@Shaked
Copy link
Author

Shaked commented Oct 2, 2021

Hey @klueska, any chance you could take a look at k3s-io/k3s#3054 (comment)?

Basically, I had a mistake in my previous comment and nvidia runtime didn't work properly (it didn't mount cuda and other libs).

After fixing it following https://k3d.io/v4.4.8/usage/guides/cuda/, I was curious where I could learn why this solution works and how things actually work behind scene in regards to containerd's configuration file.

Thank you
Shaked

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@klueska @Shaked